Protection of personal information policy
This policy aims to ensure the protection of personal information and to define the procedures by which GERIK, including its management, employees, suppliers, etc., collects, uses, discloses, retains, destroys and manages such information. It also aims to inform anyone concerned, whether customers, employees, or any other individuals, about how their personal information is processed by GERIK.
GERIK assumes full responsibility for the protection of personal information under its control. Information collected, used, disclosed, retained, or destroyed is governed by this policy in order to protect the privacy of every individual.
To ensure the optimal protection of personal information, GERIK’s Privacy Officer shall:
- Oversee and review internal practices and procedures for processing personal information as well as compliance with current laws;
- Suggest measures to ensure ongoing protection of personal information in line with Privacy Impact Assessments;
- Implement necessary measures within the business to ensure the protection of information;
- Ensure staff compliance and training in best practices for protecting personal information;
- Coordinate, investigate, and respond to inquiries and complaints about personal information protection;
- Communicate with the individual(s) concerned and the Commission d'accès à l'information (CAI) in the event of a data leak or any other incident;
- Keep a record of personal data-related incidents.
The protection of personal information is everyone’s business. No retaliation can be made against an individual who files a complaint about the protection of personal information or participates in a CAI investigation procedure.
COLLECTION OF PERSONAL INFORMATION
Personal information collected allows GERIK to carry out its functions and activities in accordance with applicable laws and standards. GERIK collects personal information only when necessary and to serve specific, predefined purposes. Personal information is collected directly from the concerned individual and with their consent unless an exception is provided for by law.
A non-exhaustive list of the information collected and its intended use is provided in Appendix A. The majority of personal information collected pertains to employees in order to meet the business's legal obligations. Personal information about other individuals may be requested in order to assist employees, for example in case of emergency. It is up to employees to obtain those individuals' consent before providing us with their contact details.
As far as customer information is concerned, data is collected to populate our files, management software, contracts and invoicing. We attach the utmost importance to the confidentiality and security of our customers' data. All information collected, whether contact details or other personal information, is treated with the utmost rigor and in compliance with current laws and regulations on the protection of personal information. Our team is committed to implementing robust security measures to prevent unauthorized access, as well as regularly training our staff on best practices in data confidentiality. We regard the protection of our customers' personal information as a fundamental responsibility to ensure their well-being and their trust in our services.
CONSENT AND ACCURACY OF PERSONAL INFORMATION
GERIK ensures that the collection of personal information is done for justified, clear, and specific reasons and with the free and informed consent of the person. Consent is required for any collection, use, or disclosure of personal information. Before collecting personal information, we will ensure that we obtain your informed consent in a clear and separate written form, providing clear details about the purpose of the collection and how the information will be used. Your consent is essential to ensure the protection of your personal data.
LIMITATION ON THE USE OF PERSONAL INFORMATION
We collect and use your personal information only when necessary and for the purposes for which consent was obtained. GERIK must also process certain information in order to meet legal and regulatory verification processes and requirements. The purposes served by this use may vary; they are illustrated in Appendix A.
Information may be transmitted to third parties to the extent necessary for the purposes of the activities listed in Appendix A. GERIK cannot be held responsible for the conduct of such third parties or for the use they make of the information.
Personal information will not be used or disclosed for other purposes than for specific objectives, unless required by law.
PROTECTION OF YOUR PERSONAL INFORMATION
GERIK takes all reasonable precautions and has implemented significant physical and technical measures to prevent unauthorized or unlawful access to, and use of, personal information. The measures in place include, among others:
- Use of information only when necessary;
- Confidentiality of personal information learned in the course of one's duties, which may not be disclosed unless the person concerned has authorized it;
- Protected files with selective, limited access restricted to authorized persons;
- Secure access to offices with locked doors and access codes;
- Secure shredding of paper files;
- Two-factor authentication for all platform connections;
- Immediate withdrawal of access following the end of a business relationship.
All individuals are required to contribute to the protection of personal information. If you suspect that sensitive information has been compromised, you must immediately notify the Privacy Officer.
RETENTION PERIOD FOR YOUR PERSONAL INFORMATION
GERIK undertakes to comply with the minimum retention periods set for each category of personal information and by applicable laws. Once the information collected is no longer useful to GERIK and its retention is neither necessary nor mandatory under the applicable legislative frameworks, it is destroyed, erased, or anonymized so that it can no longer identify the person concerned.
COMMITMENT TO TRANSPARENCY
GERIK is committed to being transparent about the processing, procedures, and purposes for which personal information is used with customers, employees, interns and business partners.
ACCESS TO YOUR PERSONAL INFORMATION
A person may request access to his or her personal information and to the means by which it was collected. Depending on the content of the person's file, exceptions may apply, for example where the file contains personal information about a third party; in such cases the person will be informed. If the file contains inaccurate information, the person concerned may request its correction.
For any consultation, withdrawal, and/or modification of personal information, please write to email@example.com. You may withdraw your consent to the communication of your personal information at any time. A written request must be submitted to the Privacy Officer at firstname.lastname@example.org. A response will be provided within 30 days of receipt. When the requested information cannot be shared, the requester will be given the legal justification and supporting reasons for the decision.
A person who believes that their personal information has been collected, retained, used, disclosed or destroyed in a manner that does not comply with the provisions of this policy may file a confidential complaint with the Privacy Officer at email@example.com. The individual must provide their name, their contact details, including a telephone number, and the subject and grounds of the complaint. Sufficient detail must be provided so that the complaint can be properly assessed. A response will be provided within 30 days of the date the complaint is received. If the complaint is insufficiently precise, the Privacy Officer may request any additional information deemed necessary to assess it. The Privacy Officer will investigate the complaints received, minimize any harm and apply the necessary corrective measures.
It is also possible to file a complaint with the Commission d'accès à l'information du Québec. However, GERIK encourages the individuals concerned to contact the Privacy Officer first and to await the conclusion of the complaint-handling process described above.
This policy is approved by GERIK's Privacy Officer.
Privacy Officer
For any request, question or comment regarding this policy, please contact the Privacy Officer by email.
APPENDIX A
| Concerned individuals | Information categories | Information types | Purposes for which information is retained |
|---|---|---|---|
| Employees | Recruitment | Recruitment information, such as curriculum vitae, educational and professional background, and details of previous employers to verify employment for potential recruitment. | Internal management (resume evaluation) |
| Employees | Staffing | Information to be included in the employee file, such as first and last name, contact details, SIN, salary, bank details, employment or internship contract, emergency contacts, etc. | Internal management (for example: payroll, operations, legal obligations, CNESST, RRSP, pay equity, performance review, etc.) |
| Customers and suppliers | Accounting, CRM and project management systems | Details of services requested and/or provided; billing and financial information, such as a billing address, bank account information or payment details. | Internal management (IT services, cybersecurity, billing, project management, communication, information collection as part of a program, contracts, service agreements, etc.) |